Augmented reality for compromised ATMs

ABSTRACT

Examples described herein relate to apparatuses and methods of providing automated teller machine (ATM) status notifications using augmented reality. A method includes capturing, by a user device, an image of the ATM, determining a probability that the ATM has been compromised, augmenting the image of the ATM in a manner which reflects the probability that the image has been compromised, and displaying the augmented image on a user interface of the user device.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a Continuation of U.S. patent applicationSer. No. 15/980,530 titled “AUGMENTED REALITY FOR COMPROMISED ATMS,”filed May 15, 2018, which is incorporated herein by references in itsentirety and for all purposes.

TECHNICAL FIELD

Embodiments of the present disclosure relate generally to the field ofdetecting fraudulent activity.

BACKGROUND

Automated teller machines (ATMs) or other payment terminal devices maybe compromised by fraudsters placing skimming devices, cameras, or otherdata capture devices on the ATM. Users of an ATM that has beencompromised by one or more of these devices may have their credit ordebit card data and other personal information stolen by fraudsters whoinstalled the devices. Augmented reality (AR) is the integration ofdigital information with a user's environment in real-time. Unlikevirtual reality, which creates a totally artificial environment,augmented reality uses the existing environment and overlays newinformation on top of it. Generally, computing applications, such assmart phone applications, can be tailored to present differentinterfaces and information to users for different purposes. Thedifferent interfaces and information may relate to services performed atan ATM or other financial services. For example, a banking applicationmay present different interfaces depending on the desired bankingservice the customer is accessing via the banking application. Thebanking application may present a first interface for viewing accountbalances, a second interface for locating the nearest ATMs or branches,a third interface for executing transfers between accounts, a fourthinterface for paying bills, and so on.

SUMMARY

A first example embodiment relates to a method. The method includescapturing, by a user device, an image of the ATM, determining aprobability that the ATM has been compromised, augmenting the image ofthe ATM in a manner which reflects the probability that the image hasbeen compromised, and displaying the augmented image on a user interfaceof the user device.

Another example embodiment relates to a provider computing system. Thesystem includes a network interface and a processing circuit includingone or more processors coupled to non-transitory memory, the memorycomprising an ATM database. The processing circuit is configured toreceive a captured image of an ATM from a user device, retrieve storedreference images from the ATM database, compare the captured image andthe stored reference images, and determine a discrepancy between thecaptured image and the one or more stored reference images, thediscrepancy relating to a physical modification of the ATM. Theprocessing circuit is further configured to calculate a compromise scorebased at least on the discrepancy, generate compromise data including atleast the compromise score, and transmit the compromise score to theuser device to be displayed on a viewing area of the user device.

Another example embodiment relates to a computer-implemented method. Themethod includes receiving, by a provider computing system, a capturedimage of an ATM from a user device proximate the ATM, retrieving one ormore stored reference images from the ATM database, comparing thecaptured image and the one or more stored reference images, anddetermining a discrepancy between the captured image and the one or morestored reference images, where the discrepancy relates to a physicalmodification of the ATM. The method further includes calculating acompromise score based at least on the discrepancy, generatingcompromise data including at least the compromise score, andtransmitting the compromise score to the user device to be displayed ona viewing window of the user device.

Another example embodiment relates to a mobile device. The mobile deviceincludes a network interface circuit structured to communicate data toand from a provider computing system associated with a provider, alocation position sensor structured to determine location data of themobile device, an input/output device structured to exchange data with auser, and a processing circuit comprising a processor and memory. Theprocessing circuit is structured to determine, by the location positionsensor, location position data of the mobile device, transmit, by thenetwork interface circuit, the location position data to the providercomputing system, capture and transmit an ATM image to the providercomputing system, and receive, by the network interface circuit,compromise data from the provider computing system. The compromise dataincludes a compromise score. The processing circuit is furtherstructured to generate and display, by the input/output device, a userinterface comprising an augmented reality overlay on a viewing window,the augmented reality overlay including the compromise score.

These and other features, together with the organization and manner ofoperation thereof, will become apparent from the following detaileddescription when taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is a block diagram depicting an example environment for providingATM status notifications, according to an example embodiment.

FIG. 2 is a block diagram depicting a user device of the environment inFIG. 1, according to an example embodiment.

FIG. 3 is a flow diagram depicting a method for providing real-time ATMstatus notifications using augmented reality, according to an exampleembodiment.

FIG. 4 is a flow diagram depicting a method for providing real-time ATMstatus notifications using augmented reality, according to an exampleembodiment.

FIG. 5 is a schematic diagram depicting an example user interface of theuser device used in the environment in FIG. 1, according to an exampleembodiment.

FIG. 6 is a schematic diagram depicting another example user interfaceof the user device used in the environment in FIG. 1, according to anexample embodiment.

FIG. 7 is a schematic diagram depicting another example user interfaceof the user device used in the environment in FIG. 1, according to anexample embodiment.

FIG. 8 is a schematic diagram depicting another example user interfaceof the user device used in the environment in FIG. 1, according to anexample embodiment.

FIG. 9 is a schematic diagram depicting another example user interfaceof the user device used in the environment in FIG. 1, according to anexample embodiment.

DETAILED DESCRIPTION

Referring to the figures generally, systems and methods of providingreal-time notifications of detected compromised devices are described.Based on location data, historical data, captured image data,crowd-sourcing data, and other various data, the system described hereindetects whether and to what probability an ATM or other payment terminaldevice has been compromised. For example, an ATM may be compromised byfraudsters who attach physical devices, such as card skimmers orcameras, to an ATM to capture credit/debit card numbers, personalidentification numbers (PINs), and other data. The stolen data can beused to make fraudulent purchases or sold to other fraudsters. However,in order to install data capture devices on an ATM, fraudsters may needto make physical modifications to the ATM and/or use devices whichtransmit signals (e.g., Bluetooth signals) not indicative of an ATMsignal. The system described herein assists in the detection of thosemodifications. As referred to herein, the term “compromised” refers toan ATM or payment terminal device that has been tampered with ormodified, including, but not limited, an ATM having a skimming deviceinstalled in the card reader, an installed camera, a keypad device, etc.

Accordingly, the present disclosure is directed to systems and methodsfor providing a consumer with real-time notifications on the likelihoodof an ATM being compromised. Using a client application on a userdevice, the system provides a user with an AR view overlaid on an imageof the ATM, indicating if and to what probability the ATM has beencompromised. Before a user uses an ATM, the user can use their userdevice (e.g., smartphone) to capture the location and an image of theATM. The location and image data is transmitted to the system describedherein which compares the image of the device against prior images ofthe device previously logged in the system, any data about that specificdevice (e.g., location data), and previous attempts to compromise thatspecific device, as well as any other trend and historical data aboutthat device and its location. Using the gathered data, the system thenmakes a determination of a probability that the device has beencompromised and transmits that data back to the user device. Based onthe received information, the client application on the user deviceconstructs an augmented reality overlay over the live image of thedevice, also displaying the calculated probability that the device hasbeen tampered with among other generated information, such as whichportion of the ATM has been compromised, etc. In general, a usercontemplating whether to use a particular ATM may improve the informeddecision-making process by using an application on the user device thatuses AR to determine whether the ATM is compromised. The applicationprovides real-time probability and status recommendations, along withother data described further herein, to the user.

The embodiments described herein solve the technical problem ofdetecting potential compromise or tampering of an ATM's components thatmay otherwise go unnoticed by a user of the ATM. By leveraging uniquelyassembled information sets, including historical data relating to thecompromise of ATMs, crowd-sourcing compromise data over a period oftime, as well as gathering signal data that may indicate a compromise,the systems and methods described herein facilitate the detection ofcompromised ATMs. In this regard, the systems and methods hereinintegrate previously unconnected data to provide a real-time tailoreddetermination of the likelihood that components of a particular ATM havebeen tampered with to benefit users of the ATM. In addition, the earlydetection of ATM compromise, along with preemptive warnings as describedherein, facilitate the early repair or replacement of the ATMs, which inturn, limits the amount of users affected by such a compromise. Due tothe reduction of user accounts that are affected by compromised ATMs,providers of the ATMs are required to use less resources, time, andpotential computer processing and memory requirements on monitoringaccount activity and resolving fraudulent activity stemming from ATMcompromises.

Referring to FIG. 1, an ATM status management system 100 is shown,according to an example embodiment. The management system 100 includes,among other systems, a user device 102, a provider computing system 104,and one or more ATMs 106. The provider computing system includes an ATMmanagement circuit 122 that is integrated within or otherwisecommunicable with, the provider computing system 104. The user device102, provider computing system 104, and ATM 106 may communicate directlyor through a network 110, which may include one or more of the Internet,cellular network, Wi-Fi, Wi-Max, a proprietary banking network, or anyother type of wired or wireless network.

The user device 102 is a computing device associated with a user. Insome arrangements, the user is an account holder of at least one accountmanaged by the provider (associated with provider computing system 104).An example account may include a checking account, a savings account, acredit account, an investment account, a retirement account, a brokerageaccount, a mortgage account, a rewards account, and the like. Suchaccounts may include information indicating account balances, accountactivities, profile information (e.g., contact information of user), ATMtransaction history, etc. An example of ATM transaction historyinformation may include past withdrawal or deposit activities, and pastATM status identification activities (e.g., including transmitting animage of an ATM 106 and receiving a compromise identification andscore).

The user device 102 includes any type of computing device that may beused to conduct financial transactions and/or receive information fromthe provider computing system 104 or the ATM 106. In some arrangements,the user uses the user device 102 to both communicate information to theATM 106 over the network 110 as well as communicate information with theprovider computing system 104. In this regard, the user device 102 mayinclude any wearable or non-wearable device. Wearable devices refer toany type of device that an individual wears including, but not limitedto, a watch (e.g., smart watch), glasses (e.g., eye glasses, sunglasses,smart glasses, etc.), bracelet (e.g., a smart bracelet), etc. The userdevice 102 may also include any type of mobile device including, but notlimited to, a phone (e.g., smart phone, etc.), tablet, personal digitalassistant, and/or computing devices (e.g., desktop computer, laptopcomputer, personal digital assistant, etc.).

In the example embodiment shown in FIG. 2, the user device 102 includesa network interface 140 enabling the user device 102 to exchangeinformation over the network 110, an input/output (“I/O”) device 142, alocation position sensor 144, and a client application 148. The I/Odevice 142 is configured to exchange information with the user. An inputdevice or component of the I/O device 142 allows the user to provideinformation to the user device 102, and may include, for example, amechanical keyboard, a touchscreen, a microphone, a camera, afingerprint scanner, any user input device engageable with the userdevice 102 via a USB, serial cable, Ethernet cable, and so on.Specifically, the input device includes one or more cameras (e.g.,digital camera, video camera) for capturing visual data (e.g., stillimages or digital video) representing the user's view through a viewingarea (e.g., viewing area 502 of FIG. 5) of the user device 102. Anoutput device or component of the I/O device 142 allows the user toreceive information from the user device 102, and may include, forexample, a digital display (e.g., an AR overlay display), a speaker,illuminating icons, LEDs, and so on.

The location position sensor 144 is structured to receive location dataand determine a location or receive information indicative of a locationof the user device 102. In one embodiment, the location position sensor144 includes a global positioning system (GPS) or any other type oflocation positioning system. As such, the location position sensor 144receives latitude data, longitude data, and any other type of locationor position data to determine the location of the user device 102. Inother embodiments, the location position sensor 144 receives an explicitlocation identification from the user of the user device 102. All suchvariations are intended to fall within the spirit and scope of thepresent disclosure.

The client application 148 is structured to provide displays to the userdevice 102 that enable the user to manage provider accounts.Accordingly, the client application 148 is communicably coupled to theprovider computing system 104 (e.g., the ATM management system 122, theaccounts database 132, etc.). In some embodiments, the clientapplication 148 may be incorporated with an existing application in useby the provider (e.g., a mobile banking application or a mobile walletapplication). In other embodiments, the client application 148 is aseparate software application implemented on the user device 102. Theclient application 148 may be downloaded by the user device 102 prior toits usage, hard coded into the memory of the user device 102, or be aweb-based interface application such that the user device 102 mayprovide a web browser to the application, which may be executed remotelyfrom the user device 102. In the latter instance, the user may have tolog onto or access the web-based interface before usage of theapplications. Further, and in this regard, the client application 148may be supported by a separate computing system including one or moreservers, processors, network interface circuits, etc. that transmitapplications for use to the user device 102. In certain embodiments, theclient application 148 includes an API and/or a software development kit(SDK) that facilitate the integration of other applications with theclient application 148. For example, the client application 148 mayinclude an API that facilitates the receipt of information pertaining tothe status of the ATM 106 as described further below.

The displays presented to the user via the client application 148 may beindicative of current account balances, pending transactions, profileinformation (e.g., contact information), and the like. Further, in someembodiments, the client application 148 is also structured to presentdisplays pertaining to the status of an ATM (e.g., whether and to whatprobability an ATM has been compromised). For example, the clientapplication 148 is configured to present the user with a display thatgives the user the ability to determine whether an ATM has beencompromised. In some arrangements, the user is presented with displaysallowing the user to capture images of the ATM 106 (e.g., via the I/Odevice 142).

The user device 102 includes an augmented reality circuit 146 configuredto overlay the ATM status data in a region of the viewing area (e.g.,viewing area 502 shown in FIG. 5) on top of the image of the ATM 106 theuser is viewing. For example, upon receipt of the ATM status data (e.g.,compromise data described further herein), the augmented reality circuit146 assembles the ATM status data based on executable instructionsincluded in the ATM status data received from the provider computingsystem 104 and displays the ATM status data over the image of the ATM106 in the viewing area of the user device 102.

The user may visit an ATM 106 with the user device 102. For example, insome arrangements, the user carries the user device 102 to the ATM 106.Depending on the purpose of the user's visit to the ATM 106, thecustomer may access a specific interface of the application beingexecuted on the user device 112. For example, if the purpose of thevisit is to withdraw cash from an ATM, the user may be able to pre-stagethe ATM transaction through an ATM user interface of the clientapplication 148.

According to an embodiment of the disclosure, the ATM 106 is capable ofboth receiving deposits and dispensing funds. For example, the ATM 106may include a currency dispenser that is used to dispense currency whenthe user wishes to perform a cash withdrawal. The ATM 106 may alsoinclude a deposit slot that is configured to receive paper currency andchecks when the user wishes to make a deposit. The ATM may also beconfigured to perform other operations, such as allowing the user tocheck account balances, purchase stamps, and so on. In one embodiment,the ATM 106 is owned and operated by the provider associated with theprovider computing system 104. In other embodiments, the ATM 106 and theprovider are owned and operated by different entities. Account holdersmay choose to use ATMs owned by different providers as a matter ofconvenience. For example, an account holder of a first provider maywithdraw money using an ATM owned by the second provider because thesecond provider's ATM is located closer to the account holder's home orworkplace.

The ATM 106 includes a transaction card slot configured to receive atransaction card inserted by a user. The ATM 106 may further include akeypad, or similar user input device, containing a number of buttons(e.g., alphanumeric, etc.) configured to receive input (e.g., a PIN)from a user. Additionally or alternatively, the ATM 106 may incorporatesimilar user input devices such as touch screens, gesture recognition,and so on. The user utilizes the user input devices, such as the keypad,to navigate a guided user interface (GUI) of the ATM 106. The GUI allowsthe user to perform the various functions of the ATM 106 and alsodisplay information (e.g., prompts, images, text, etc.) to the user. Forexample, the GUI of the ATM 106 may display account information (e.g.,account balance, account number, etc.) to the user.

To initiate a transaction with the ATM 106, a user may insert an ATMcard 101 into a transaction card slot of the ATM 106. The ATM card 101may be one of several types of transaction cards, including a debitcard, a credit card, a stored value card, and the like. The transactioncards may be associated with various financial instruments, including ademand deposit account and/or a line of credit. In some embodiments,data used to identify the instrument is stored on the ATM card 101 on atleast one of a magnetic stripe and/or a smart chip 103 (e.g., an EMVchip). The magnetic stripe stores static data, including the primaryaccount number (PAN) associated with the financial instrument as well asa static card security code. Different payment brands refer to thissecurity code as a card verification value (CVV), card verification code(CVC), card ID (CID), or the like. Because the data is static, themagnetic stripes can be easily cloned or duplicated by thieves usingskimming devices or other methods. Thus, transactions cards containingonly magnetic stripes are at greater risk for fraud. Although the riskof fraudulent activity may be significantly reduced through the use oftransaction cards containing smart chips, there is still a potential forfraud even with the use of smart chips. For example, through the use ofattachable physical devices, such as cameras, on the ATM 106, afraudster can capture the card number, the cardholder's name, thesecurity code, and the PIN of the ATM card 101 to use during an onlinetransaction, without the need to insert the card at an ATM or at amerchant point-of-sale terminal. Thus, the system and methods describedherein are configured to detect potential compromises targeting bothmagnetic stripes and smart chips.

The smart chip 103 is a secure integrated circuit chip with amicroprocessor and memory that is embedded on the ATM card 101 andconfigured to facilitate dynamic and cryptographic authentication ofaccount information. The microprocessor on the integrated circuit chipmay store applications related to the authentication process. Unlike thestatic data of the magnetic stripe, every time a transaction cardcontaining a smart chip is used, the smart chip creates a uniquetransaction code (i.e., distinct from the CVV, CVC, or CID stored on themagnetic stripe) that is utilized to verify a given transaction.

Still referring to FIG. 1, the transaction card slot of the ATM 106 isconnected to a card reader. ATM card readers may operate via one ofthree user actions: swiping, dipping, and inserting. Swiping involvesthe user passing only the magnetic stripe of a transaction card througha reader. Dipping involves quickly inserting and then removing the cardfrom the card reader. Inserting involves inserting the transaction cardfully into a card slot, where it is “grabbed” by the reader to remainwithin the terminal for the duration of the transaction. After the ATMcard 101 has been authenticated, details of the withdrawal transactionand financial instrument data obtained from the ATM card 101 (e.g.,smart chip 103) may be transmitted to the provider computing system 104via the network 110, where the transaction is processed.

The provider computing system 104 is operated by a provider, which is anentity that facilitates various types of transactions between the userdevice 102 and various other entities. The provider manages the debitand/or credit card held by the user requesting funds from the ATM 106.For example, the provider may be a bank, credit union, a paymentservices company, or other similar entities. The provider computingsystem 104 includes, among other systems, a network interface 120enabling the provider computing system 104 to exchange data over network110, a processing circuit 114, and an ATM management circuit 122.

The processing circuit 114 includes a processor 116 and memory 118. Theprocessor 116 may be implemented as one or more application specificintegrated circuits (ASICs), field programmable gate arrays (FPGAs), agroup of processing components, or other suitable electronic processingcomponents. Memory 118 may be one or more devices (e.g., RAM, ROM, Flashmemory, hard disk storage) for storing data and/or computer code forcompleting and/or facilitating the various processes described herein.Memory 118 may be or include non-transient volatile memory, non-volatilememory, and non-transitory computer storage media. Memory 118 mayinclude database components, object code components, script components,or any other type of information structure for supporting the variousactivities and information structures described herein. Memory 118 maybe communicably coupled to the processor 116 and include computer codeor instructions for executing one or more processes described herein.

Still referring to FIG. 1, the provider computing system 104 is furthershown to include an ATM management circuit 122. The ATM managementcircuit 122 is configured to determine whether and the likelihood thatan ATM has been compromised by a fraudster. The ATM management circuit122 includes an ATM database 126, a status analysis circuit 124, and anotification circuit 128. While various circuits, interfaces, and logicwith particular functionality are shown, it should be understood thatthe ATM management system 122 includes any number of circuits,interfaces, and logic for facilitating the functions described herein.For example, the activities of multiple circuits are combined as asingle circuit and implemented on the same processing circuit.

The ATM database 126 is structured to retrievably store informationpertaining to an inventory of ATMs 106. The ATM database 126 may includenon-transient data storage mediums (e.g., local disc or flash-based harddrives, local network servers, and the like) or remote data storagefacilities (e.g., cloud servers). The ATM database 126 storesinformation regarding the make and model, location, and status of ATMs106 including whether the ATM is operational and whether the ATM hasbeen compromised in the past. The ATMs 106 stored in the ATM database126 can include both ATMs 106 owned and operated by the provider andATMs owned and operated by other third party providers. In variousarrangements, historical compromise information may include an ATMidentifier, the date and time of a reported ATM status, the location ofthe ATM, the make and model of the ATM, the type of ATM components thatwere compromised (e.g., card reader, keypad, etc.), the number of timesan ATM has been deemed compromised, etc. Additionally, the ATM database126 may also include a listing of ATMs and locations that have neverbeen reported as compromised.

In some arrangements, the ATM database 126 stores reference images ofthe ATMs 106. For each possible make and model of ATM 106, the ATMdatabase 126 stores a reference image. The reference image may beprovided by the manufacturer of the ATM 106. The reference image canalso include a crowd-sourced image generated using previously receivedimages of that make and model of ATM 106 and/or of the particular ATM106 under consideration. The reference image includes an image of whatthe ATM is supposed to look like if the ATM 106 has not been compromisedor tampered with (e.g., the ATM 106 without any physical modifications).Each reference image includes reference image components for eachcomponent of the ATM 106. For example, the reference image includesreference image components of the card reader, keypad, machine overlay,and overall look of the ATM 106 such that the ATM management circuit 122can determine whether any of the components has been physicallymodified.

The status analysis circuit 124 is structured to receive a capturedimage of an ATM 106 from the client application 148 of the user device102, determine the appropriate reference image to use for a comparison,and complete a comparison of the captured image to the appropriatereference image stored in the ATM database 126. Accordingly, the statusanalysis circuit 124 is communicably and operatively coupled to the ATMdatabase 126 to determine the make and model of the ATM 106 and retrievethe ATM reference images. The status analysis circuit 124 also receiveslocation information of the user device 102 from the location positionsensor 144 of the user device 102. Using the location information of theuser device 102, the status analysis circuit 124 determines theapproximate location of the ATM 106 near the position of the user device102 and determines the particular ATM 106, including the ATM identifierand the make and model of the ATM 106.

Using this information, the status analysis circuit 124 retrieves theappropriate reference image(s) from the ATM database 126 and completes acomparison between the captured image and the stored reference image todetermine if and how an ATM 106 has been compromised. The captured imageincludes analog or digital information representing the user's view ofthe ATM 106 through a viewing area (e.g., viewing area 502 of FIG. 5) ofthe user device 102. In some arrangements, the captured image is apicture taken by a camera of the user device 102. In other arrangements,the captured image is a live-feed image (e.g., as a user views the ATMthrough in the viewing area 502) captured by the camera of the userdevice 102. As noted above, the reference image(s) can include both amanufacturer image of the ATM 106 as well as historical crowd-sourcedimages of either that particular ATM 106 or ATMs 106 of the same makeand model. In addition to the overall look of the ATM 106, the referenceimages include reference image components including, but not limited to,card readers, keypads, and machine overlays.

Accordingly, the status analysis circuit 124 compares the overall lookof the ATM 106 to the reference images, and in addition, compares eachof the reference image components to the respective captured imagecomponents. For example, the captured image received by the statusanalysis circuit 124 includes a captured image component of a cardreader. The status analysis circuit 124 compares the captured image ofthe card reader to the reference image card reader component todetermine any physical differences. In some instances when an ATM 106has been compromised, a wire or other electronic device may be visibleextending from the card reader of the ATM 106. In other instances, aplastic sheet may be placed over the keypad of the ATM 106. In otherinstances, one or more cameras may be positioned on the ATM 106 tocapture card numbers and PINs. Various other physical modifications maybe indicative of a compromise. The status analysis circuit 124 is thusconfigured to compare all components of the ATM to the reference imagecomponents to determine whether the overall look of the ATM matches withthe reference image and, in particular, if any of the components of theATM appears modified (e.g., because it includes additional suspiciousstructures).

In other arrangements, the status analysis circuit 124 is alsostructured to receive data from the user device 102 indicative ofsignals detecting compromising devices, such as cameras and electronicreaders which may have been attached to the ATM 106 and are transmittingsignals that are not indicative of an ATM signal. For example, the userdevice 102 may detect a Bluetooth signal separate from an ATM signal. Inaddition, the user device 102 may detect other ambient data capturedevices in the area proximate the ATM 106 using smartphone sensors(e.g., Bluetooth, Wi-Fi, etc.). For example, a camera that may beconfigured to capture a user's PIN may not be near the ATM 106, but canbe positioned by a fraudster to capture a PIN some distance away fromthe ATM 106. The camera may use a Wi-Fi protocol to connect to theInternet and is detectable by the user device 102 using Wi-Fi sensors.In this case, the client application 148 of the user device 102 may alsoreport the detection of this signal. The status analysis circuit 124receives the detected signal and can determine without a visualcomparison check against reference images that a compromise is likely tohave occurred. An ongoing log of detected signals at an ATM 106 may bestored in the ATM database 126 and retrieved by the status analysiscircuit 124 to determine historical trends in the presence of thenon-ATM signal. Using this information, the status analysis circuit maybe able to determine that the signal is likely related to a compromiseof the ATM 106. For example, if no Bluetooth signals have traditionallybeen detected at a particular ATM, but suddenly a Bluetooth signal wasconducted by recent users of the ATM 106, then that suggests thepresence of a new Bluetooth signal which further suggests that the ATM106 may have been compromised. Further, initially, the probability ofcompromise may be determined as low, but not non-existent (e.g., theBluetooth signal may simply be the result of an innocent person using aBluetooth headset in the vicinity of the ATM, and that person may soonleave). However, as time goes on, the probability of compromise may bedetermined as higher (e.g., because the number of innocent explanationsfor a new Bluetooth signal in the vicinity of the ATM is assumed to godown as time goes on).

The status analysis circuit 124 is also structured to retrievehistorical ATM data from the ATM database 126. The historical data mayinclude a listing of ATM locations, ATM identifiers, ATM locations, themake and model of the ATM, the date and time of a reported ATM status,the type of ATM components that were compromised (e.g., card reader,keypad, etc.), the number of times an ATM has been deemed compromised,etc. Using the historical data, the status analysis circuit 124 can useanalysis of whether the ATM has been reported as compromised a certainnumber of times, the ATM status trends (e.g., whether the ATM has beenreported within the last week, month, etc.), the types of componentsthat have been compromised, etc., to determine the likelihood of whetherthe ATM 106 is compromised.

After completing the comparison of the reference and captured images,analysis of the detection of non-ATM signals, and retrieving thehistorical data of the particular ATM 106, the status analysis circuit124 calculates the probability of a compromise of the ATM (referred toherein as a “compromise score”). The compromise score is calculatedusing the historical data of the ATM 106 in combination with the ATMcomparison information and signal information. The compromise score iscalculated as a percentage of likelihood that the ATM is compromised. Inother words, if the likelihood (i.e., probability) that the ATM has beencompromised is determined to be 1, the percentage of likelihood that theATM has been compromised may be expressed as 100%. In some otherarrangements, the compromise score is calculated as a percentage oflikelihood that the ATM is not compromised. In other arrangements, thecompromise score may take other forms, such as a rating ranging from oneto ten. In other arrangements, the compromise score reflects a relative“pass” or “fail” score. For example, if the status analysis circuit 124determines that there is a likelihood of 95% that the ATM is notcompromised, a “pass” score of 95% is given. If the status analysiscircuit 124 determines that there is a 65% likelihood that the ATM iscompromised, then a 65% “fail” score is given. The relative pass andfail scores are reflected in the user interface 600 of FIG. 6 describedbelow.

In another arrangement, the status analysis circuit 124 receivesindications that a number of debit or credit cards have been determinedto have been compromised due to reports from various users of fraudulenttransactions (e.g., stored in the ATMs database 126). The statusanalysis circuit 124 can determine that a common link between thecompromised cards is that all of the compromised cards were used at aparticular ATM 106. In some arrangements, the status analysis circuit124 also determines that the compromised cards were used at theparticular ATM 106 within a certain period of time (e.g., all of thecompromised cards were used at the ATM 106 over the last two weeks,etc.). The status analysis circuit 124 can then determine that the ATM106 is likely to have been compromised due to this common link. Withoutcomparing any visual data or receiving indications of non-ATM signals(e.g., Bluetooth signals), the status analysis circuit 124 determinesthe ATM 106 is compromised based on this linkage information.

In some arrangements, the ATM location data may also be used todetermine the compromise score. Using the location data, the statusanalysis circuit 124 can determine that the suspect ATM 106 is locatedin a high-traffic location, such as a sports stadium or a music venue,where many users access the ATM 106 such that a fraudster may targetthat ATM 106 in particular. If the ATM 106 is positioned in a relativelyhigh-traffic area, the status analysis circuit 124 may increase thecompromise score (e.g., probability that the ATM is compromised).

In some arrangements, a certain make and model of an ATM 106 may beidentified as being particularly susceptible to compromise. For example,the ATM database 126 may store information relating to the number oftimes a particular make and model of an ATM is compromised. If one typeof ATM is compromised significantly more than others, that make andmodel may be identified to be more susceptible to being compromised byfraudsters.

In some arrangements, the status analysis circuit 124 weighs thehistorical information and the comparison information based on therecency of the data. In one example, the status analysis circuit 124weighs more recent historical compromise data as higher than olderhistorical compromise data in calculating the compromise score. Inanother example, crowd-sourced images that were gathered one week agoare weighed as more relevant than images that were gathered one yearago.

As one example, if the status analysis circuit 124 has identified theATM card reader as potentially physically modified through a comparisonto reference images, and the card reader of the ATM 106 has beenindicated as compromised within the last week by another user, thestatus analysis circuit 124 will calculate a relatively high compromisescore (e.g., 95%). As another example, if the status analysis circuit124 has determined that the ATM 106 has been reported compromisedmultiple times within a certain amount of time, the status analysiscircuit 124 will calculate a relatively high compromise score. In yetanother example, if the status analysis circuit 124 does not identifyany discrepancies between the captured and the reference images, andthere is only one relatively old past report of the ATM 106 beingcompromised, the status analysis circuit 124 may calculate a relativelylow compromise score.

In some arrangements, a “pass” or “fail” status is given to the ATM 106based on a predetermined compromise score threshold. As an example, thepredetermined compromise score threshold is 40% such that if thecompromise score is calculated as a 40% certainty that the ATM 106 hasbeen compromised, the ATM 106 is given a “fail” score. In this example,any compromise score at or above 40% is deemed as a “fail” status andany number below 40% is deemed as a “pass” status. This particularexample is not meant to be limiting.

After calculating the compromise score, the status analysis circuit 124communicates the compromise data, including the compromise score, whichcomponents were deemed compromised, etc., to the notification circuit128 to notify appropriate entities (e.g., user using user device 102,supplier of the ATM 106). Accordingly, the status analysis circuit 124is communicably and operatively coupled to the notification circuit 128.

The notification circuit 128 is configured to transmit the compromisescore to the user device 102 to be displayed (e.g., overlaid) on theuser device 102 (e.g., in client application 148). As such, thenotification circuit 128 is communicably and operatively coupled to theuser device 102 to transmit the compromise score and other ATM data tobe displayed on the user device 102. In some arrangements, thenotification circuit 128 is also structured to transmit a notificationto an ATM supplier that an ATM 106 may have been compromised in order tosend out a maintenance crew to repair or replace the ATM 106. In somearrangements, the notification circuit 128 is configured to shut downthe operation of the ATM 106. As such the notification circuit 128 maybe communicably and operatively coupled to the ATM 106 to shut down theATM 106 so that the functionality of the ATM is not accessible until theATM is repaired or replaced. In this arrangement, the notificationcircuit 128 is also configured to transmit a message to the user device102 notifying the user of the next nearest ATM or of a non-compromisedATM nearby.

In some arrangements, alternatively, or in addition to the ATMmanagement circuit 122 of the provider computing system 104 determininga compromise score (e.g., probability) that the ATM 106 has beencompromised, the user device 102 is also capable of making thisdetermination. The user device 102 (e.g., client application 148)receives the ATM information (e.g., historical ATM information, ATMidentifier, ATM make and model, etc.) from the provider computing system104 and determines (e.g., calculates) the compromise data, including thecompromise score (e.g., probability that the ATM 106 has beencompromised).

Referring now to FIG. 3, a flow diagram of a method 300 of providingreal-time ATM status notifications using augmented reality is shown,according to an example embodiment. In various embodiments, the method300 is performed by the components shown in FIGS. 1-2 such thatreference may be made to the components of FIGS. 1-2 to aid thedescription of the method 300.

A prompt to open the client application is received at 302. In somearrangements, the prompt is received by the I/O device 142 of the userdevice 102. The prompt may include a selection of an icon on the displayof the user device 102. The client application is started at 304. TheI/O device 142 of the user device 102 is updated to display a clientapplication 148 interface. The provider computing system is informed ofthe ATM location at 306. In some arrangements, the location positionsensor 144 determines the location of the user device 102 and transmitsthe location to the ATM management system 122 of the provider computingsystem 104. As described further herein, the location of the user device102 can be indicative of the ATM location due to the user beingproximate the ATM 106 during or before performing a transaction.

The user is prompted to view the ATM through the application at 308. Insome arrangements, the user is prompted to view the ATM 106 through theclient application 148. The client application 148 receives and displaysa message from the provider computing system 104 (e.g., ATM managementsystem 122) to view the ATM through the application. The ATM image iscaptured at 310. In some arrangements, the ATM is captured using the I/Odevice 142 of the user device 102. A camera component of the I/O device142 either takes a picture of the ATM 106 through the client application142 and/or the ATM 106 is viewed through the camera as a live-feed.

The ATM captured image is transmitted to the provider computing systemat 312. In some arrangements, the ATM captured image is transmitted tothe provider computing system 104 over network 110 (e.g., via networkinterface 140 of the user device 102). The compromise data is receivedfrom the provider computing system at 314. In some arrangements, asdescribed with regard to method 400 shown in FIG. 4, the compromise datais generated by the ATM management system 122 (e.g., status analysiscircuit 124). The compromise data received from the provider computingsystem is overlaid on the user interface of the user device at 316. Insome arrangements, the user device 102 receives the compromise data andthe AR circuit 146 overlays the data, including text and images, ontothe viewing area of the user device 102 when the user is in the clientapplication 148. As shown in various user interfaces 500-900 describedherein with regard to FIGS. 5-9, the compromise data may be displayed inthe form of a compromise score and compromise indicators overlaid on theviewing area (e.g., viewing areas 502, 602 shown in FIGS. 5-6) of theuser device 102. The overlaid compromise information informs the user ofthe likelihood that the ATM 106 is compromised and which components ofthe ATM 106 have been tampered with or physically modified.

Referring now to FIG. 4, a flow diagram of a method 400 of providingreal-time ATM status notifications using augmented reality is shown,according to an example embodiment. In various embodiments, the method400 is performed by the components shown in FIGS. 1-2 such thatreference may be made to the components of FIGS. 1-2 to aid thedescription of the method 400.

A captured ATM image is received at 402. In some arrangements, thecaptured ATM image is received by the ATM management circuit 122, and inparticular, the status analysis circuit 124 to be analyzed for potentialcompromises. In some arrangements, the captured image is a picture takenby a camera of the user device 102. In other arrangements, the capturedimage is a live-feed image (e.g., as a user views the ATM through in theviewing area 502) captured by the camera of the user device 102.

The captured ATM image is compared to a reference image and previouslycaptured images at 404. In some arrangements, the status analysiscircuit 124 is structured to determine the appropriate reference imageand previously captured images to use for a comparison, and complete acomparison of the captured image to the appropriate reference imagesstored in the ATM database 126. As noted above, the reference image(s)can include both a manufacturer image of the ATM 106 as well ashistorical crowd-sourced images of either that particular ATM 106 orATMs 106 of the same make and model.

It is determined whether a discrepancy is detected at 406. In somearrangements, by comparing the capture ATM image to the referenceimages, the status analysis circuit 124 determines whether a discrepancybetween the images is detected. If a discrepancy is not detected at 406,a pass message is transmitted to the user device at 408. In somearrangements, the pass message is transmitted by the notificationcircuit 128 of the ATM management system 122. The notification circuit128 is configured to transmit the compromise score to the user device102 to be displayed (e.g., overlaid) on the user device 102.

If a discrepancy is detected at 406, a compromise score is calculated at410. In some arrangements, the status analysis circuit 124 calculatesthe probability of a compromise of the ATM as the compromise score. Thecompromise score is calculated using the historical data of the ATM 106in combination with the ATM comparison information and signalinformation. The compromise score is calculated as a percentage oflikelihood that the ATM is compromised. In some other arrangements, thecompromise score is calculated as a percentage of likelihood that theATM is not compromised. In other arrangements, the compromise scorereflects a relative “pass” or “fail” score such that the compromisescore indicates how likely it is that the ATM either passes or fails theanalysis performed by the status analysis circuit 124. In somearrangements, the ATM location data and the make and model of the ATMmay also be used to determine the compromise score.

It is determined which component and how the ATM has been compromised at412. In some arrangements, the status analysis circuit 124 is configuredto compare all components of the ATM 106 to the reference imagecomponents to determine whether the overall look of the ATM matches withthe reference image and, in particular, if any of the components of theATM such as the card reader appears to be physically modified. Forexample, the captured image received by the status analysis circuit 124includes a captured image component of a card reader. The statusanalysis circuit 124 compares the captured image of the card reader tothe reference image card reader component to determine any physicaldifferences.

The compromise data is transmitted to the user device at 414. In somearrangements, the compromise data is transmitted to the user device 102by notification circuit 128. The notification circuit 128 is configuredto receive the compromise data from the status analysis circuit 124,package the data to be displayed on the user device 102 in the form ofan AR display, and transmit the data to the user device 102 for display.

After calculating the compromise score, the status analysis circuit 124communicates the compromise score to the notification circuit 128 tonotify appropriate entities (e.g., user using user device 102, supplierof the ATM 106). Accordingly, the status analysis circuit 124 iscommunicably and operatively coupled to the notification circuit 128. Insome arrangements, the notification circuit 128 is also structured totransmit a notification to an ATM supplier that an ATM 106 may have beencompromised in order to send out a maintenance crew to repair or replacethe ATM 106.

Referring to FIG. 5, an example user interface 500 of the user device isshown. The user interface 500 includes a viewing area 502, where theuser can view the ATM 106. A user lines up the viewing area 502 with theATM 106 to capture all components of the ATM 106, including, but notlimited to a machine overlay component 510, a card reader component 512,and a keypad component 514. The user interface 500 includes a text box508 displaying status indicators 516-522. As shown in FIG. 5, in thisexample, a check mark 516 next to “Machine Overlay” indicates that themachine overlay component 510 has passed the component check done by theATM management system 122. The user interface 500 shows an exclamationmark indicator 518 next to “Card Reader”, which indicates that the ATMmanagement system 122 has determined that the card reader 512 is likelycompromised. The overlay on the viewing area 502 displays a compromiseindicator 506 at the card reader 512 also indicating the card reader 512as the compromised component. Dash lines 520 and 522 next to “Keypad”and “No hidden camera” indicate that those components have yet to bechecked for compromises.

Referring to FIG. 6, an example user interface 600 of the user device isshown. The user interface 600 is an example of the interface generatedwhen a component, such as the card reader component 510 of FIG. 5, hasbeen deemed likely to be compromised. The user interface 600 includes aviewing area 602, where the user can view the ATM 106. In this case,upon a determination of a compromise score, the user interface 500 ofFIG. 5 is replaced by the user interface 600 of FIG. 6 to show thecompromise score and more details relating to the status history of theATM 106. The user interface 600 includes a text box 608 displaying acompromise score 616, which as shown, was calculated by the ATMmanagement system 122 to be 64%. The compromise score is also shownabove the viewing area 602 in the form of a slide display 606. The slidedisplay 606 may take various forms indicating to the user theprobability that the ATM 106 is compromised. As such the slide display606 may also be colorized such that when the slide display 606 is shownin a green color, the slide display 606 indicates a passing score andwhen the slide display 606 is shown in a red color, the slide display606 indicates a failing score. The overlay on the viewing area 602displays a compromise indicator 606 at the card reader 512 indicatingthe card reader 512 as the compromised component. The text box 608 alsoincludes a “View Previous Scores” selection option 618, a “Report thisATM” selection option 620, and a “Find another ATM” selection option622. Selection of the “View Previous Scores” selection option 618generates and displays the user interface 700 of FIG. 7. User interface700 displays a listing of dates 708, statuses 710, and compromise scores712 of the ATM 106.

Referring back to FIG. 6, in some arrangements, the selection of the“Report this ATM” selection option 620 may generate and display the userinterface 800 of FIG. 8. In some arrangements, if the user selectionsoption 620, the user is then brought to the interface 800 shown in FIG.8. FIG. 8 displays an interface 800 presented on the user device 102including a reward offer for reporting the ATM 106. The interface 800includes offer redemption instructions 802 and an offer redemptionmethod 804. The redemption instructions 802 instruct the user regardingthe next step to redeem the offer. After redemption, the redemptioninstructions 802 notify the user that the reward has been redeemed. Inthe case where the reward offer involves enabling the user to pay for anidentified transaction, the redemption instructions 802 prompt the userto take additional steps to redeem the offer. As shown, the redemptioninstructions 802 prompt the user to present the redemption method 804 toa merchant. As shown, the redemption method 804 is a Quick Response (QR)code through which the user can complete a previously identifiedtransaction, by having the merchant scan the QR code. As a person havingordinary skill in the art will appreciate, the appearance of the variousdepictions and graphics discussed herein will take on different formsbased on the plurality of different implementations.

Referring back to FIG. 6, selection of the “Find Another ATM” selectionoption 622 generates and displays the user interface 900 of FIG. 9. Userinterface 900 displays a listing of other ATMs 106 the user isproximate, along with the respective statuses 910 and compromise scores912 of those ATMs 106. A user can also select the “Done” option 624 toexit the user interface 600.

The arrangements described herein have been described with reference todrawings. The drawings illustrate certain details of specificarrangements that implement the systems, methods and programs describedherein. However, describing the arrangements with drawings should not beconstrued as imposing on the disclosure any limitations that may bepresent in the drawings.

It should be understood that no claim element herein is to be construedunder the provisions of 35 U.S.C. § 112(f), unless the element isexpressly recited using the phrase “means for.”

As used herein, the term “circuit” may include hardware structured toexecute the functions described herein. In some arrangements, eachrespective “circuit” may include machine-readable media for configuringthe hardware to execute the functions described herein. The circuit maybe embodied as one or more circuitry components including, but notlimited to, processing circuitry, network interfaces, peripheraldevices, input devices, output devices, sensors, etc. In somearrangements, a circuit may take the form of one or more analogcircuits, electronic circuits (e.g., integrated circuits (IC), discretecircuits, system on a chip (SOCs) circuits, etc.), telecommunicationcircuits, hybrid circuits, and any other type of “circuit.” In thisregard, the “circuit” may include any type of component foraccomplishing or facilitating achievement of the operations describedherein. For example, a circuit as described herein may include one ormore transistors, logic gates (e.g., NAND, AND, NOR, OR, XOR, NOT, XNOR,etc.), resistors, multiplexers, registers, capacitors, inductors,diodes, wiring, and so on).

The “circuit” may also include one or more processors communicativelycoupled to one or more memory or memory devices. In this regard, the oneor more processors may execute instructions stored in the memory or mayexecute instructions otherwise accessible to the one or more processors.In some arrangements, the one or more processors may be embodied invarious ways. The one or more processors may be constructed in a mannersufficient to perform at least the operations described herein. In somearrangements, the one or more processors may be shared by multiplecircuits (e.g., circuit A and circuit B may comprise or otherwise sharethe same processor which, in some example arrangements, may executeinstructions stored, or otherwise accessed, via different areas ofmemory). Alternatively or additionally, the one or more processors maybe structured to perform or otherwise execute certain operationsindependent of one or more co-processors. In other example arrangements,two or more processors may be coupled via a bus to enable independent,parallel, pipelined, or multi-threaded instruction execution. Eachprocessor may be implemented as one or more general-purpose processors,application specific integrated circuits (ASICs), field programmablegate arrays (FPGAs), digital signal processors (DSPs), or other suitableelectronic data processing components structured to execute instructionsprovided by memory. The one or more processors may take the form of asingle core processor, multi-core processor (e.g., a dual coreprocessor, triple core processor, quad core processor, etc.),microprocessor, etc. In some arrangements, the one or more processorsmay be external to the apparatus, for example the one or more processorsmay be a remote processor (e.g., a cloud based processor). Alternativelyor additionally, the one or more processors may be internal and/or localto the apparatus. In this regard, a given circuit or components thereofmay be disposed locally (e.g., as part of a local server, a localcomputing system, etc.) or remotely (e.g., as part of a remote serversuch as a cloud based server). To that end, a “circuit” as describedherein may include components that are distributed across one or morelocations.

An exemplary system for implementing the overall system or portions ofthe arrangements might include a general purpose computing computers inthe form of computers, including a processing unit, a system memory, anda system bus that couples various system components including the systemmemory to the processing unit. Each memory device may includenon-transient volatile storage media, non-volatile storage media,non-transitory storage media (e.g., one or more volatile and/ornon-volatile memories), etc. In some arrangements, the non-volatilemedia may take the form of ROM, flash memory (e.g., flash memory such asNAND, 3D NAND, NOR, 3D NOR, etc.), EEPROM, MRAM, magnetic storage, harddiscs, optical discs, etc. In other arrangements, the volatile storagemedia may take the form of RAM, TRAM, ZRAM, etc. Combinations of theabove are also included within the scope of machine-readable media. Inthis regard, machine-executable instructions comprise, for example,instructions and data which cause a general purpose computer, specialpurpose computer, or special purpose processing machines to perform acertain function or group of functions. Each respective memory devicemay be operable to maintain or otherwise store information relating tothe operations performed by one or more associated circuits, includingprocessor instructions and related data (e.g., database components,object code components, script components, etc.), in accordance with theexample arrangements described herein.

It should also be noted that the term “input devices,” as describedherein, may include any type of input device including, but not limitedto, a keyboard, a keypad, a mouse, joystick or other input devicesperforming a similar function. Comparatively, the term “output device,”as described herein, may include any type of output device including,but not limited to, a computer monitor, printer, facsimile machine, orother output devices performing a similar function.

Any foregoing references to currency or funds are intended to includefiat currencies, non-fiat currencies (e.g., precious metals), andmath-based currencies (often referred to as cryptocurrencies). Examplesof math-based currencies include Bitcoin, Litecoin, Dogecoin, and thelike.

It should be noted that although the diagrams herein may show a specificorder and composition of method steps, it is understood that the orderof these steps may differ from what is depicted. For example, two ormore steps may be performed concurrently or with partial concurrence.Also, some method steps that are performed as discrete steps may becombined, steps being performed as a combined step may be separated intodiscrete steps, the sequence of certain processes may be reversed orotherwise varied, and the nature or number of discrete processes may bealtered or varied. The order or sequence of any element or apparatus maybe varied or substituted according to alternative arrangements.Accordingly, all such modifications are intended to be included withinthe scope of the present disclosure as defined in the appended claims.Such variations will depend on the machine-readable media and hardwaresystems chosen and on designer choice. It is understood that all suchvariations are within the scope of the disclosure. Likewise, softwareand web implementations of the present disclosure could be accomplishedwith standard programming techniques with rule based logic and otherlogic to accomplish the various database searching steps, correlationsteps, comparison steps and decision steps.

The foregoing description of arrangements has been presented forpurposes of illustration and description. It is not intended to beexhaustive or to limit the disclosure to the precise form disclosed, andmodifications and variations are possible in light of the aboveteachings or may be acquired from this disclosure. The arrangements werechosen and described in order to explain the principals of thedisclosure and its practical application to enable one skilled in theart to utilize the various arrangements and with various modificationsas are suited to the particular use contemplated. Other substitutions,modifications, changes and omissions may be made in the design,operating conditions and arrangement of the arrangements withoutdeparting from the scope of the present disclosure as expressed in theappended claims.

What is claimed is:
 1. A method comprising: capturing, by a user device,an image of an automated teller machine (ATM); detecting, by the userdevice, a signal near the ATM; retrieving, by the user device,historical ATM data associated with the ATM; determining, by the userdevice, that the signal is indicative of the ATM being compromised basedon the historical ATM data; calculating, by the user device, acompromise score based at least on the determination that the signal isindicative of the ATM being compromised; generating, by the user device,compromise data including at least the compromise score; augmenting, bythe user device, the image of the ATM in a manner which reflects thecompromise score; and displaying, by the user device, the augmentedimage on a user interface of the user device.
 2. The method of claim 1,wherein the signal is separate from an ATM signal associated with theATM and is indicative of an ambient data capture device in an areaproximate the ATM.
 3. The method of claim 2, wherein the signal is oneof a Bluetooth signal or a Wi-Fi protocol signal.
 4. The method of claim2, wherein the ambient data capture device is one of an electronicreader attached to the ATM or a camera positioned to capture a user'sPIN from a distance away from the ATM.
 5. The method of claim 1, whereinthe historical ATM data comprises an ongoing log of detected signals atthe ATM.
 6. The method of claim 5, wherein determining that the signalis indicative of the ATM being compromised comprises: determining thatthe signal is a new signal that has not been detected at the ATM beforebased on the ongoing log of detected signals at the ATM.
 7. The methodof claim 5, wherein determining that the signal is indicative of the ATMbeing compromised comprises: determining that the signal is separatefrom an ATM signal associated with the ATM and has been detectedmultiple times at the ATM based on the ongoing log of detected signalsat the ATM.
 8. A provider computing system, comprising: a networkinterface; and a processing circuit comprising one or more processorscoupled to non-transitory memory, the memory comprising an automatedteller machine (ATM) database, and wherein the processing circuit isstructured to: receive a detected signal from a user device proximatethe ATM; retrieve historical ATM data associated with the ATM; determinethat the signal is indicative of the ATM being compromised based on thehistorical ATM data; calculate a compromise score based at least on thedetermination that the signal is indicative of the ATM beingcompromised; generate compromise data including at least the compromisescore; and transmit the compromise score to the user device to bedisplayed on a viewing area of the user device.
 9. The system of claim8, wherein the signal is separate from an ATM signal associated with theATM and is indicative of an ambient data capture device in an areaproximate the ATM.
 10. The system of claim 9, wherein the signal is oneof a Bluetooth signal or a Wi-Fi protocol signal.
 11. The system ofclaim 9, wherein the ambient data capture device is one of an electronicreader attached to the ATM or a camera positioned to capture a user'sPIN from a distance away from the ATM.
 12. The system of claim 8,wherein the historical ATM data comprises an ongoing log of detectedsignals at the ATM.
 13. The system of claim 12, wherein the processingcircuit is further structured to: determine that the signal is a newsignal that has not been detected at the ATM before based on the ongoinglog of detected signals at the ATM; wherein determining that the signalis indicative of the ATM being compromised is based on determining thatthe signal is a new signal that has not been detected at the ATM before.14. The system of claim 12, wherein the processing circuit is furtherstructured to: determine that the signal is separate from an ATM signalassociated with the ATM and has been detected multiple times at the ATMbased on the ongoing log of detected signals at the ATM; whereindetermining that the signal is indicative of the ATM being compromisedis based on determining that the signal is separate from an ATM signalassociated with the ATM and has been detected multiple times at the ATM.15. A mobile device, comprising: a network interface circuit structuredto communicate data to and from a provider computing system associatedwith a provider; a sensor structured to detect a signal; an input/outputdevice structured to exchange data with a user; and a processing circuitcomprising a processor and memory, the processing circuit structured to:capture, by the input/output device, an image of an automated tellermachine (ATM); detect, by the sensor, the signal near the ATM; retrievehistorical ATM data associated with the ATM; determine that the signalis indicative of the ATM being compromised based on the historical ATMdata; calculate a compromise score based at least on the determinationthat the signal is indicative of the ATM being compromised; generatecompromise data including at least the compromise score; augmenting theimage of the ATM in a manner which reflects the compromise score; anddisplay, by the input/output device, a user interface including theaugmented image.
 16. The mobile device of claim 15, wherein the signalis separate from an ATM signal associated with the ATM and is indicativeof an ambient data capture device in an area proximate the ATM.
 17. Themobile device of claim 16, wherein the signal is one of a Bluetoothsignal or a Wi-Fi protocol signal.
 18. The mobile device of claim 15,wherein the historical ATM data comprises an ongoing log of detectedsignals at the ATM.
 19. The mobile device of claim 18, wherein theprocessing circuit is further structured to: determine that the signalis a new signal that has not been detected at the ATM before based onthe ongoing log of detected signals at the ATM; wherein determining thatthe signal is indicative of the ATM being compromised is based ondetermining that the signal is a new signal that has not been detectedat the ATM before.
 20. The mobile device of claim 18, wherein theprocessing circuit is further structured to: determine that the signalis separate from an ATM signal associated with the ATM and has beendetected multiple times at the ATM based on the ongoing log of detectedsignals at the ATM; wherein determining that the signal is indicative ofthe ATM being compromised is based on determining that the signal isseparate from an ATM signal associated with the ATM and has beendetected multiple times at the ATM.